4.1.2 Ensure a trusted certificate and trust chain is installed

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

Information

Certificates and their trust chains are needed to establish the identity of a web server as legitimate and trusted. Certificate authorities validate a web server's identity and that you are the owner of that web server domain name.

Rationale:

Without a certificate and full trust chain installed on your web server, modern browsers will flag your web server as untrusted.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Use the following procedure to install a certificate and its signing certificate chain onto your web server, load balancer, or proxy.

Step 1: Create the server's private key and a certificate signing request.

The following command creates the private key for your certificate with 2048-bit RSA key strength and writes it to nginx.key; the key size may optionally be raised to 4096 for greater security. It also writes your certificate signing request to the nginx.csr file in your present working directory.

openssl req -new -newkey rsa:2048 -keyout nginx.key -out nginx.csr

Enter the following subject information when prompted:

Country Name (2 letter code) [XX]: Your Country
State or Province Name (full name) []: Your State
Locality Name (eg, city) [Default City]: Your City
Organization Name (eg, company) [Default Company Ltd]: Your Organization
Organizational Unit Name (eg, section) []: Your Organizational Unit
Common Name (eg, your name or your server's hostname) []: Your server's DNS name
Email Address []: Your email address

Step 2: Obtain a signed certificate from your certificate authority.

Provide your chosen certificate authority with your certificate signing request. Follow your certificate authority's signing procedures to obtain a certificate and the certificate's trust chain. A full trust chain is typically delivered in .pem format.

Step 3: Install the certificate and its signing certificate chain on your web server.

Place the .pem file from your certificate authority in the directory of your choice, and locate the key file created by the command you used to generate your certificate signing request. nginx expects the file referenced by ssl_certificate to contain the server certificate first, followed by the intermediate certificates of the chain. Open your website configuration file and edit your TLS listener to use the ssl_certificate and ssl_certificate_key directives as shown below; these directives belong inside the server block. Also inspect any files included from your nginx.conf, since the listener may be defined there.

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    ssl_certificate /etc/nginx/cert.crt;
    ssl_certificate_key /etc/nginx/nginx.key;
    ...
}

After editing this file, you must restart nginx for these changes to take effect. This can be done with the following command:

sudo systemctl restart nginx
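The script below is an added example, not part of this audit page or the CIS benchmark, that ties the three steps together and adds the two checks an operator should make on the files that ssl_certificate and ssl_certificate_key will point at before restarting nginx: that the private key actually belongs to the server certificate, and that the certificate file carries a chain that verifies back to a trusted root. Because it must run offline, it first builds a constructed root -> intermediate -> server chain in a scratch directory; the hostname www.example.test, the CA names, the 2-day lifetimes and the file names are assumptions, as is an OpenSSL 1.1.1-or-newer binary on PATH.

```shell
#!/bin/sh
# Added example (not from the CIS/Nessus audit text). Builds a constructed
# root -> intermediate -> server chain, then checks the files nginx will load:
#   1. the private key belongs to the server certificate
#   2. the chain file verifies to a trusted root, i.e. intermediates are present
# Assumptions: openssl 1.1.1+ on PATH and a writable temp directory.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Throwaway CA hierarchy purely for demonstration; all names are constructed.
make_demo_chain() {
  # Root CA: CSR, then self-signed with explicit CA extensions
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.csr" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 2 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.crt" >/dev/null 2>&1

  # Intermediate CA, signed by the root
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
    -keyout "$WORK/inter.key" -out "$WORK/inter.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 2 -extfile "$WORK/ca.ext" -out "$WORK/inter.crt" >/dev/null 2>&1

  # Server key and CSR: the Step 1 command, made non-interactive with -nodes and -subj
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
    -keyout "$WORK/nginx.key" -out "$WORK/nginx.csr" >/dev/null 2>&1
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > "$WORK/srv.ext"
  openssl x509 -req -in "$WORK/nginx.csr" -CA "$WORK/inter.crt" -CAkey "$WORK/inter.key" \
    -CAcreateserial -days 2 -extfile "$WORK/srv.ext" -out "$WORK/nginx.crt" >/dev/null 2>&1

  # What the CA delivers and what ssl_certificate must contain: leaf first, then intermediates
  cat "$WORK/nginx.crt" "$WORK/inter.crt" > "$WORK/cert.pem"
  # The common mistake: installing the leaf without its chain
  cp "$WORK/nginx.crt" "$WORK/leaf-only.pem"
}

# Check 1: the public key inside the first certificate of $1 must equal the
# public key derived from private key $2.
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
  key_pub=$(openssl pkey -in "$2" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

# Check 2: verify the leaf (first cert in $1) using the rest of $1 as untrusted
# intermediates and $2 as the trust anchor. A missing intermediate fails with
# "unable to get local issuer certificate", the same gap browsers reject.
chain_verifies() {
  openssl verify -CAfile "$2" -untrusted "$1" "$1" >/dev/null 2>&1
}

# Number of certificates in a PEM bundle; 1 means no chain was installed.
cert_count() {
  grep -c 'BEGIN CERTIFICATE' "$1"
}

# Human-readable summary for one certificate file / key / trust anchor triple.
report() {
  if key_matches_cert "$1" "$2"; then echo "key matches certificate: $1"; else echo "KEY MISMATCH: $1 / $2"; fi
  if chain_verifies "$1" "$3"; then echo "chain OK ($(cert_count "$1") certs): $1"; else echo "CHAIN INCOMPLETE ($(cert_count "$1") certs): $1"; fi
}

make_demo_chain
report "$WORK/cert.pem"      "$WORK/nginx.key" "$WORK/root.crt"
report "$WORK/leaf-only.pem" "$WORK/nginx.key" "$WORK/root.crt"
```

Run against a real deployment, point key_matches_cert and chain_verifies at the files named in ssl_certificate and ssl_certificate_key and at your CA's root certificate. Once both checks pass, validate the configuration with `nginx -t` before the restart in Step 3, and confirm the served chain from outside with `openssl s_client -connect host:443 -servername host -showcerts`.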

Default Value:

No certificate is installed by default.

See Also

https://workbench.cisecurity.org/files/4538